5. Console Scanner Dr.Web Scanner
5.1. Command Line Parameters
Dr.Web Scanner is a command line interface (CLI) program that runs in a terminal (or an X Window terminal emulator). To run Dr.Web Scanner, use the following command:
$ ./drweb -path <path> [command line parameters]
where <path> is the path to the directory to be scanned or a mask for the files to be checked. When Scanner is started with only the <path> argument and no other parameters, it scans the specified directory using the default set of parameters. In the following example the user's home directory is checked:
$ ./drweb -path ~
When the scan is finished, Scanner outputs information about all detected infected and suspicious files in the following form:
/path/file infected [virus] VIRUS_NAME
After presenting information about infected or suspicious files, Scanner outputs a summary report in the following form:
Report for "/opt/drweb/tmp":
Numbers divided by a slash «/» mean: the first one is the total number of files, the second one the number of files in archives. Please note that the Dr.Web distribution package contains a special text file readme.eicar.rus. With a text editor you can easily create the eicar.com program (refer to the instructions inside readme.eicar.rus for details), which is used to test antiviruses and is therefore included in all virus databases. The following report will be output:
/opt/drweb/doc/eicar.com infected by Eicar Test File (Not a Virus!)
Like any other UNIX program, Dr.Web Scanner supports numerous command line parameters. They are separated from the specified path by white space and are prefixed with a hyphen «-». To get the complete list of parameters, start Scanner with the -?, -h or -help parameter. The main program parameters can be classified as follows:
●scan area parameters;
●diagnostics parameters;
●actions parameters;
●interface parameters.
Scan area parameters determine where the virus check must be performed. They include:
●path — specify the path to scan. Several paths can be specified in one parameter;
●@[+]<file> ― check the objects listed in <file>. The plus «+» instructs Scanner not to delete files from the list of objects after the scan is completed. The list file may contain paths to directories that must be scanned regularly, or a list of files to be checked only once;
●sd ― recursive search and scan of files in subdirectories, starting from the current directory;
●fl ― follow links, both to files and directories; links causing loops are ignored;
●mask — ignore masks for file names.
Diagnostics parameters determine what types of objects must be scanned for viruses:
●al ― scan all files on the specified drive or in the specified directory;
●ar[d|m|r][n] ― scan files in archives (ARJ, CAB, GZIP, RAR, TAR, ZIP, etc.). d - delete, m - move, r - rename archives containing infected objects; n - archiver name output disabled. Archives can be simple (*.tar) or compressed (*.tar.bz2, *.tbz);
●cn[d|m|r][n] ― scan files in containers (HTML, RTF, PowerPoint, ...). d - delete, m - move, r - rename containers containing infected objects; n - container type output disabled;
●ml[d|m|r][n] ― scan files in mailboxes. d - delete, m - move, r - rename mailboxes containing infected objects; n - mailbox type output disabled;
●upn ― scan executable files packed with LZEXE, DIET, PKLITE, EXEPACK, with compression type output disabled;
●ex ― diagnostics using file masks (see the FilesTypes parameter in the configuration file);
●ha ― heuristic analysis (search for unknown viruses).
Actions parameters determine what actions must be performed if infected or suspicious files are detected. They include:
●cu[d|m|r] ― cure infected files: d - delete, m - move, r - rename infected files.
Interface parameters configure Scanner report output and include:
●v, version – output information about the product and Engine versions;
●ki – output information about the key file and its owner (in UTF-8 encoding only);
●foreground[yes|no] – run Scanner in the foreground or in the background;
●ot ― output information to standard output (stdout);
●oq ― disable information output;
●ok ― display «Ok» for files that are not infected;
●log=<file> ― log to the specified file;
●ini=<file> ― use an alternative configuration file;
●lng=<file> ― use an alternative language file. If the English interface was chosen during installation, you may specify the ru_scanner.dwl file to display reports in Russian.
You can use the hyphen «-» postfix to disable the following parameters: -ar -cu -ha -ic -fl -ml -ok -sd -sp
For example, if you start Scanner with the following command:
$ drweb -path <path> -ha-
heuristic analysis (enabled by default) will be disabled. By default (if the Scanner configuration was not customized and no parameters were specified) Scanner starts with the following parameters:
-ar -ha -fl- -ml -sd
The default Scanner parameters (including scanning of archives, packed files and mailboxes, recursive search, heuristic analysis, etc.) are sufficient for everyday diagnostics and can be used in typical cases. You can also use the hyphen «-» postfix to disable some parameters, as explained above. Disabling the scanning of archives and packed files will significantly decrease the level of antivirus protection, because viruses are distributed in archives (especially self-extracting ones) enclosed in e-mail attachments. Office documents susceptible to infection with macro viruses (Word, Excel) are also sent via e-mail in archives and containers.
When you run Scanner with the default parameters, no cure actions and no actions for incurable or suspicious files are taken. For these actions to be performed, you must specify the corresponding command line parameters explicitly.
The set of action parameters may vary in particular cases. We recommend the following:
●cu ― cure infected files and system areas without deleting, moving or renaming infected files;
●icd ― delete incurable files;
●spm ― move suspicious files;
●spr ― rename suspicious files.
When Scanner is started with the Cure action specified, it tries to restore the previous state of the infected object. This is possible only if the detected virus is a known virus and cure instructions for it are available in the virus database; even in this case the cure attempt may fail if the infected file has been seriously damaged by the virus. If infected files are found inside archives they will not be cured, deleted, moved or renamed. To cure such files you must manually unpack the archives into a separate directory and instruct Scanner to check it.
When Scanner is started with the Delete action specified, it deletes all infected files from disk. This option is suitable for incurable (irreversibly damaged) files. The Rename action makes Scanner replace the file extension with a specified extension (*.#?? by default, i.e. the first character of the extension is replaced with the «#» symbol). Enable this parameter for files of other OSes (e.g., DOS/Windows) detected heuristically as suspicious. Renaming helps to avoid accidentally starting executable files in those OSes and therefore prevents infection by a possible virus and its further spread. With the Move action enabled, Scanner moves infected or suspicious files to the quarantine directory (/var/drweb/infected/ by default). This parameter is actually of little value, because infected and suspicious files for other OSes cannot damage a UNIX system (unless the host serves those files to other systems, e.g. as a file or mail server), while moving suspicious files that belong to the UNIX system itself can cause system malfunction and failure.
The recommended Scanner command line for everyday use looks as follows:
$ drweb -path <path> -cu -icd -spm -ar -ha -fl- -ml -sd
Such a command line can be saved as a text file and turned into a simple shell script by making it executable with the following command:
# chmod a+x [file name]
However, the default parameters can be changed in the Scanner configuration file, which is described in the next section.
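The script suggested above can do a little more than hold the command line. What follows is an added example, not part of the Dr.Web distribution or of this manual: a wrapper that runs the recommended parameter set and turns the Scanner report into a count and a list of paths, so a cron job or ticketing script can act on the result. It assumes the scanner binary is /opt/drweb/drweb (override with $DRWEB), a log directory of /var/log/drweb (override with $LOGDIR), report lines of the shape shown above ("/path/file infected [virus] NAME" or "... infected by NAME"), heuristic hits using the word "suspicious" in the same position, and paths without spaces; the sample report is constructed.

```shell
#!/bin/sh
# Added example, not part of the Dr.Web distribution: a small wrapper that
# runs the recommended everyday command line from this section and turns the
# Scanner report into a machine-readable result.
# Assumptions: the scanner binary is /opt/drweb/drweb (override with $DRWEB);
# report lines have the shape shown on this page,
#   /path/file infected [virus] VIRUS_NAME
#   /path/file infected by VIRUS_NAME
# heuristic hits use the word "suspicious" in the same position; and paths in
# the constructed sample contain no spaces.

DRWEB=${DRWEB:-/opt/drweb/drweb}
LOGDIR=${LOGDIR:-/var/log/drweb}      # assumed location for per-run logs

# build_args <path>: the recommended parameter set for one scan.
#   -cu   cure infected files         -icd  delete incurable files
#   -spm  move suspicious files       -ar   scan archives
#   -ha   heuristic analysis          -fl-  do NOT follow links
#   -ml   scan mailboxes              -sd   recurse into subdirectories
build_args() {
    printf '%s\n' "-path $1 -cu -icd -spm -ar -ha -fl- -ml -sd"
}

# count_detections: read a Scanner report on stdin and print how many lines
# report an infected or suspicious object.  "Ok" lines (only printed with -ok)
# and the "Report for" summary are ignored.
count_detections() {
    awk '/ (infected|suspicious) / { n++ } END { print n + 0 }'
}

# detected_paths: read a Scanner report on stdin and print only the object
# paths, one per line, for quarantine review or a ticket.
detected_paths() {
    awk 'match($0, / (infected|suspicious) /) { print substr($0, 1, RSTART - 1) }'
}

# scan <path>: run the scanner, keep the full report, and return
#   0 when nothing was found, 1 when something was found.
scan() {
    scan_log="$LOGDIR/drweb-$(date +%Y%m%d-%H%M%S).log"
    mkdir -p "$LOGDIR"
    # word-splitting of the argument list is intended here
    "$DRWEB" $(build_args "$1") | tee "$scan_log"
    scan_hits=$(count_detections < "$scan_log")
    echo "detections: $scan_hits (report kept in $scan_log)" >&2
    [ "$scan_hits" -eq 0 ]
}

# Constructed sample report, in the format shown on this page, used to
# exercise the parsing functions without a scanner installed.
SAMPLE_REPORT='/home/alice/inbox/offer.zip infected [virus] EICAR.Test.File
/home/alice/bin/helper suspicious [heuristic] Unknown.Sample
/home/alice/notes.txt Ok
Report for "/home/alice":'

if [ "${1-}" = "--scan" ] && [ -n "${2-}" ]; then
    scan "$2"
fi
```

Run it as `./drweb-scan.sh --scan /home` from cron and key the alert on the exit status. Because -spm moves suspicious files into /var/drweb/infected/, and the manual warns that moving files belonging to the system itself can break it, review the kept report before scanning system directories with this parameter set.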
5.2. Configuration
Scanner can be used with the default settings, but it is much more convenient to set it up according to your specific requirements. Scanner settings are stored in a configuration file (drweb32.ini by default) located in the /etc/drweb/ directory. To use another configuration file, specify the full path to it with a command line parameter, e.g.:
$ /opt/drweb/drweb -ini=/opt/drweb/etc/drweb.ini
A description of the configuration file structure and parameter types can be found in p. 1.5 of this Manual. Parameters are described in the order in which they appear in the main configuration file.
[Scanner] section.
EnginePath = {path to file, usual extension is *.dll}
Location of the drweb32.dll module (Engine). This parameter is also used by the update utility.
Default value:
EnginePath = /opt/drweb/lib/drweb32.dll
VirusBase = {list of paths (masks) to files, usual extension is *.vdb}
Masks for loading virus databases. This parameter is also used by the update utility. Multiple values are allowed.
Default value:
VirusBase = /var/drweb/bases/*.vdb,/var/drweb/bases/*.VDB
UpdatePath = {path to directory}
This parameter is used by the update utility (update.pl) and is mandatory.
Default value:
UpdatePath = /var/drweb/updates/
TempPath = {path to directory}
Directory in which the Engine creates temporary files. Usually it is not used, but it is sometimes needed for unpacking archives or when the system is short of memory.
Default value:
TempPath = /tmp/
LngFileName = {path to the language file, usual extension is *.dwl}
Language file location.
Default value:
LngFileName = /opt/drweb/lib/ru_scanner.dwl
Key = {path to license key file, usual extension is *.key}
Key file location (license or demo).
Default value:
Key = /opt/drweb/drweb32.key
OutputMode = {Terminal | Quiet}
Information output mode at start: Terminal outputs to the console, Quiet disables output.
Default value:
OutputMode = Terminal
HeuristicAnalysis = {Yes | No}
Enable/disable heuristic detection of unknown viruses. Enabling heuristic analysis allows detection of unknown viruses using knowledge about the typical structure of viral code. Because this type of detection is approximate, such objects are called «suspicious», not «infected». With this option disabled, only known viruses will be detected by Dr.Web.
Some programs may trigger the heuristic analyzer and be reported as «suspicious» by mistake because their code resembles a virus structure. Besides, this mode may slightly increase the scan time. These considerations may lead you to disable heuristic analysis. At the same time, heuristic analysis improves the reliability of antivirus protection. We recommend that you send all files detected by the heuristic analyzer to the developers using http://vms.drweb.com/sendvirus/ (preferably) or via e-mail [email protected]. Follow this procedure to upload files: make a password-protected archive, include the password in the message body and attach the Scanner report.
Default value:
HeuristicAnalysis = Yes
ScanPriority = {value}
Scanner process priority. The value must be in the range from –20 (highest priority) to 20 (lowest priority).
Default value:
ScanPriority = 0
FilesTypes = {list of extensions}
File types to be checked «by type», i.e. when the ScanFiles parameter (explained below) has the ByType value. The «*» and «?» symbols are allowed. This parameter can be multi-string (the specified lists are summed up).
Default value:
FilesTypes = EXE, COM, SYS, OV?, BAT, BIN, DRV, PRG, BOO, SCR, CMD, VXD, 386, DLL, FON, DO?, XL?, WIZ, RTF, CL*, HT*, VB*, JS*, INF, AR?, ZIP, R??, PP?, OBJ, LIB, HLP, MD?, INI, MBR, IMG, CSC, CPL, MBP, SHS, SHB, PIF, SO, CHM, REG, XML, PRC, ASP, LSP, MSO, OBD, THE*, NWS, SWF, BMP, MPP, OCX, DVB, CPY, MSG, EML
FilesTypesWarnings = {Yes | No}
Notify about files of unknown types.
Default value:
FilesTypesWarnings = Yes
ScanFiles = {All | ByType}
Additional restriction on the files to be checked. With the ByType value set, only the file extensions specified by default or in the FilesTypes parameter (or parameters) are considered. Mode All is always used for files in mailboxes. The ByType value can be used only in local scan mode.
Default value:
Enable/disable extracting files archived with ZIP (WinZip, InfoZIP, etc.), RAR, ARJ, TAR, GZIP, CAB and other archivers.
Default value:
ExcludePaths = {list of paths (masks) to be excluded from scan}
Masks for files which should not be checked.
Default value:
RenameFilesTo = {mask}
Mask for renaming infected or suspicious files if the Rename action is specified. For example, with the rename mask #?? the first character of the file extension is replaced by the «#» symbol and all subsequent characters are preserved. If the file has no extension, the new extension consists only of the «#» symbol.
Default value:
EnableDeleteArchiveAction = {Yes | No}
Enable/disable the Delete action for compound objects (archives, mailboxes, HTML pages) if they contain infected files. Please note: with this option enabled the whole compound object (archive, mailbox, etc.) is deleted, not only the infected file or message. Use this option carefully!
Default value:
EnableDeleteArchiveAction = No
InfectedFiles = {Report | Cure | Delete | Move | Rename | Ignore}
Sets the program reaction when a file infected with a known virus is detected. Allowable values:
●Report ― output information to the log file;
●Cure ― try to cure the object (only for the InfectedFiles parameter);
●Delete ― delete the infected file;
●Move ― move the file to the directory specified by the MoveFilesTo parameter;
●Rename ― rename the file using the mask specified by the RenameFilesTo parameter;
●Ignore – skip the file.
Default value:
InfectedFiles = Report
The Delete, Move and Rename actions, when specified for archives, containers and mailboxes containing infected files, are applied to the whole archive, container or mailbox! Similar values are also used for the following parameters:
●SuspiciousFiles ― the file is probably infected by an unknown virus;
●ActionAdware — the file contains a program for displaying advertisements (adware);
●ActionDialers — the file contains a dialer program;
●ActionJokes — the file contains a joke program, which can frighten or irritate the user;
●ActionRiskware — the file contains a dangerous program, which can be used not only by its legitimate user but also by an intruder;
●ActionHacktools — the file contains a hacking tool;
●ActionInfectedMail ― the mailbox contains an infected file;
●ActionInfectedArchive ― the archive (ZIP, TAR, RAR, etc.) contains an infected file;
●ActionInfectedContainer ― the container (OLE, HTML, PowerPoint, etc.) contains an infected file.
For all these parameters the same values as for the InfectedFiles parameter (except the Cure action) can be specified. Default value for each parameter:
LogFileName = {path to log file}
Log file name. You can specify syslog as the log file name, and logging will then be carried out by the syslogd system service. In this case the SyslogFacility and SyslogPriority parameters must also be specified. As syslogd uses several files for logging events of different importance, these two parameters and the syslogd configuration file (usually /etc/syslog.conf) determine where the information is logged.
Default value:
LogFileName = syslog
SyslogFacility = {Daemon | Local0 .. Local7 | Kern | User | Mail}
Log facility when the syslogd system service is used for activity logging (refer to the syslog documentation for details).
Default value:
SyslogFacility = Daemon
SyslogPriority = {Alert | Warning | Notice | Info | Error}
Log priority when the syslogd system service is used.
Default value:
SyslogPriority = Info
LimitLog = {Yes | No}
Enable/disable a limit on the log file size. When LogFileName = syslog, the parameter value is ignored. When Scanner is started it checks the log file size and, if it exceeds the MaxLogSize parameter value, the log file contents are cleared and the log is started from scratch.
Default value:
LimitLog = No
MaxLogSize = {value in Kbytes}
Maximum log file size. Can be used with LimitLog = Yes only.
Default value:
MaxLogSize = 512
LogScanned = {Yes | No}
Enable/disable logging of information about all scanned objects, not only infected and suspicious ones.
Default value:
LogScanned = Yes
LogPacked = {Yes | No}
Enable/disable logging of additional information about files packed with DIET, PKLITE and other utilities.
Default value:
LogPacked = Yes
LogArchived = {Yes | No}
Enable/disable logging of additional information about files archived with various archiving utilities.
Default value:
LogArchived = Yes
LogTime = {Yes | No}
Enable/disable logging of the time for each record. The parameter is not used if LogFileName = syslog.
Default value:
LogTime = Yes
LogStatistics = {Yes | No}
Enable/disable logging of total scan statistics.
Default value:
LogStatistics = Yes
RecodeNonprintable = {Yes | No}
Output mode for nonprintable characters on the given terminal. Keep it enabled when reports are viewed in a terminal: a file name containing raw control or escape sequences would otherwise be written to the terminal unchanged.
Default value:
RecodeNonprintable = Yes
RecodeMode = {Replace | QuotedPrintable}
Recoding mode for nonprintable characters if RecodeNonprintable = Yes. When RecodeMode = Replace, all nonprintable characters are substituted with the RecodeChar parameter value (see below). When RecodeMode = QuotedPrintable, all nonprintable characters are converted to Quoted-Printable format.
Default value:
RecodeMode = QuotedPrintable
RecodeChar = {"?" | "_" | ...}
Symbol used to replace nonprintable characters if RecodeMode = Replace.
Default value:
RecodeChar = "?"
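Several of the parameters above change what the scanner does with what it finds: InfectedFiles defaults to Report, suspicious files get no action unless SuspiciousFiles is set, EnableDeleteArchiveAction = Yes removes an entire archive or mailbox, and a file log with LimitLog = No is never trimmed. The following is an added example, not part of the Dr.Web product or of this manual: a POSIX shell reader for drweb32.ini-style files plus an audit of the [Scanner] section against those points. It assumes "Key = Value" lines under "[Section]" headers, that lines beginning with ";" or "#" are comments (the manual does not state the comment syntax), and that key names may be matched case-insensitively; both sample configurations are constructed.

```shell
#!/bin/sh
# Added example, not part of the Dr.Web distribution: read the [Scanner]
# section of a drweb32.ini-style file and report settings that leave the
# scanner in report-only mode or that this manual itself marks as risky.
# Assumptions: lines are "Key = Value" under "[Section]" headers; lines
# starting with ';' or '#' are comments (the page does not state the comment
# syntax); key names are matched case-insensitively.

# ini_get <file> <section> <key>: print the value of <key> inside [<section>],
# or nothing if it is absent.  A key that appears several times (the manual
# says FilesTypes lists are summed up) is joined with ", ".
ini_get() {
    awk -v want_sec="$2" -v want_key="$3" '
        /^[ \t]*[;#]/ { next }
        /^[ \t]*\[/ {
            sec = $0
            sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec)
            next
        }
        sec == want_sec && index($0, "=") {
            key = substr($0, 1, index($0, "=") - 1)
            val = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (tolower(key) == tolower(want_key))
                out = (out == "") ? val : (out ", " val)
        }
        END { if (out != "") print out }
    ' "$1"
}

lc() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# audit_scanner_config <file>: one finding per line; prints nothing when the
# configuration is acceptable.  Unset keys are treated as the defaults the
# manual gives (InfectedFiles = Report, LogFileName = syslog, LimitLog = No,
# and no action for suspicious files).
audit_scanner_config() {
    a_ha=$(lc "$(ini_get "$1" Scanner HeuristicAnalysis)")
    a_inf=$(lc "$(ini_get "$1" Scanner InfectedFiles)")
    a_susp=$(lc "$(ini_get "$1" Scanner SuspiciousFiles)")
    a_del=$(lc "$(ini_get "$1" Scanner EnableDeleteArchiveAction)")
    a_log=$(lc "$(ini_get "$1" Scanner LogFileName)")
    a_lim=$(lc "$(ini_get "$1" Scanner LimitLog)")
    a_log=${a_log:-syslog}

    if [ "$a_ha" = "no" ]; then
        echo "HeuristicAnalysis = No: only viruses already in the database are detected"
    fi
    case "$a_inf" in
        ""|report|ignore)
            echo "InfectedFiles = ${a_inf:-Report (default)}: infected files are logged but not cured, deleted, moved or renamed" ;;
    esac
    case "$a_susp" in
        ""|report|ignore)
            echo "SuspiciousFiles = ${a_susp:-unset}: suspicious files are logged but not moved or renamed" ;;
        cure)
            echo "SuspiciousFiles = Cure: Cure is valid only for InfectedFiles" ;;
    esac
    if [ "$a_del" = "yes" ]; then
        echo "EnableDeleteArchiveAction = Yes: a whole archive or mailbox is deleted when one member is infected"
    fi
    if [ "$a_log" != "syslog" ] && [ "$a_lim" != "yes" ]; then
        echo "LimitLog = ${a_lim:-No (default)} with a file log: the log file grows without bound"
    fi
    if [ "$a_log" = "syslog" ] && [ "$a_lim" = "yes" ]; then
        echo "LimitLog = Yes is ignored because LogFileName = syslog"
    fi
    return 0
}

# Constructed samples (not taken from a real installation).  The [Daemon]
# section exists only to show that the lookup is scoped to [Scanner].
sample_weak() {
    cat <<'EOF'
[Scanner]
EnginePath = /opt/drweb/lib/drweb32.dll
HeuristicAnalysis = No
InfectedFiles = Report
; SuspiciousFiles is not set, so the scanner's report-only default applies
EnableDeleteArchiveAction = Yes
LogFileName = /var/log/drweb/scanner.log
LimitLog = No
FilesTypes = EXE, COM
FilesTypes = DLL
[Daemon]
HeuristicAnalysis = Yes
EOF
}

sample_hardened() {
    cat <<'EOF'
[Scanner]
HeuristicAnalysis = Yes
InfectedFiles = Cure
SuspiciousFiles = Move
MoveFilesTo = /var/drweb/infected/
EnableDeleteArchiveAction = No
LogFileName = syslog
SyslogFacility = Daemon
SyslogPriority = Info
EOF
}

if [ -n "${1-}" ]; then
    audit_scanner_config "$1"
fi
```

Run it as `./drweb-audit.sh /etc/drweb/drweb32.ini`; the weak sample produces five findings and the hardened one none. The audit only covers settings this section documents; it does not know about incurable files, for which the command line offers -icd.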
The following parameters can be used to reduce archive scan time. Note that objects which exceed these limits are skipped entirely and are therefore not checked, so very large or deeply nested archives that matter should be unpacked and scanned separately.
MaxCompressionRatio = {value}
Maximum compression ratio, i.e. the ratio of the unpacked file size to the packed file size (inside the archive). If the ratio exceeds the specified value, the file is not extracted and therefore not checked.
Default value:
MaxCompressionRatio = 5000
CompressionCheckThreshold = {value in Kbytes}
Minimum size of a file inside an archive, starting from which the compression ratio check (as specified by the MaxCompressionRatio parameter value) is performed.
Default value:
CompressionCheckThreshold = 1024
MaxFileSizeToExtract = {value in Kbytes}
Maximum size of a file extracted from an archive. If the file size inside the archive exceeds the specified value, the file is skipped.
Default value:
MaxFileSizeToExtract = 500000
MaxArchiveLevel = {value}
Maximum archive nesting level (an archive in an archive in an archive, etc.). If the nesting level exceeds the specified value, the archive is skipped.
Default value:
MaxArchiveLevel = 8
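The four limits interact, and it is not obvious from the descriptions alone which members of an archive will be left unscanned. The following is an added example, not part of the Dr.Web product or of this manual: a shell model of the documented policy with the default values, applied to a constructed archive listing. It assumes (the page does not say) that "file size inside archive" means the unpacked size, as it must for MaxFileSizeToExtract, that the checks are applied in the order nesting level, extracted size, compression ratio, and that sizes are given in bytes with the Kbyte limits converted at 1024.

```shell
#!/bin/sh
# Added example, not part of the Dr.Web distribution: a model of the archive
# limits described above, so that an administrator can see which members of
# an archive the Scanner would skip under a given configuration.
# Assumptions (not stated on this page): "file size inside archive" means the
# unpacked size; checks run in the order nesting level, extracted size,
# compression ratio; sizes are bytes here and the Kbyte limits are converted.

MAX_COMPRESSION_RATIO=${MAX_COMPRESSION_RATIO:-5000}
COMPRESSION_CHECK_THRESHOLD_KB=${COMPRESSION_CHECK_THRESHOLD_KB:-1024}
MAX_FILE_SIZE_TO_EXTRACT_KB=${MAX_FILE_SIZE_TO_EXTRACT_KB:-500000}
MAX_ARCHIVE_LEVEL=${MAX_ARCHIVE_LEVEL:-8}

# would_extract <packed_bytes> <unpacked_bytes> <nesting_level>
# Prints "extract" or "skip: <reason>".  Level 1 is a member of the outer
# archive, level 2 a member of an archive inside it, and so on.
would_extract() {
    we_packed=$1; we_unpacked=$2; we_level=$3
    we_threshold=$((COMPRESSION_CHECK_THRESHOLD_KB * 1024))
    we_max_size=$((MAX_FILE_SIZE_TO_EXTRACT_KB * 1024))

    if [ "$we_level" -gt "$MAX_ARCHIVE_LEVEL" ]; then
        echo "skip: nesting level $we_level exceeds MaxArchiveLevel $MAX_ARCHIVE_LEVEL"
        return 0
    fi
    if [ "$we_unpacked" -gt "$we_max_size" ]; then
        echo "skip: unpacked size $we_unpacked exceeds MaxFileSizeToExtract ($we_max_size bytes)"
        return 0
    fi
    # The ratio check applies only once the member is at least
    # CompressionCheckThreshold in size.  Compare unpacked > ratio * packed so
    # that no division is needed and a zero packed size cannot divide by zero.
    if [ "$we_unpacked" -ge "$we_threshold" ] &&
       [ "$we_unpacked" -gt $((MAX_COMPRESSION_RATIO * we_packed)) ]; then
        echo "skip: compression ratio exceeds MaxCompressionRatio $MAX_COMPRESSION_RATIO"
        return 0
    fi
    echo "extract"
}

# Constructed archive listing: "path packed_bytes unpacked_bytes level".
# zeros.txt has a 9000:1 ratio but stays under the 1024 KB threshold, so it
# is still extracted; bomb.bin is the same ratio above the threshold.
SAMPLE_LISTING='docs/report.pdf 120000 131072 1
notes/zeros.txt 100 900000 1
docs/inner/deep.txt 50 4096 9
video/raw.iso 300000000 614400000 1
payload/bomb.bin 200 2097152 1'

# classify_listing: read lines like SAMPLE_LISTING on stdin and print
# "<path>: <decision>" for each member.
classify_listing() {
    while read -r cl_path cl_packed cl_unpacked cl_level; do
        [ -n "$cl_path" ] || continue
        echo "$cl_path: $(would_extract "$cl_packed" "$cl_unpacked" "$cl_level")"
    done
}

if [ "${1-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LISTING" | classify_listing
fi
```

Run with `--demo` to see the decisions for the sample listing; export different MAX_* values first to see how a tighter policy (e.g. MAX_ARCHIVE_LEVEL=3) changes which members are skipped.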
5.3. Start
To start Dr.Web Scanner you can use the following command:
$ /opt/drweb/drweb
If the /opt/drweb/ directory is added to the PATH environment variable, you can run Dr.Web Scanner from any directory just by typing «drweb». However, this variant (as well as making a symbolic link to the Dr.Web Scanner executable in directories like /bin/, /usr/bin/, etc.) is not recommended for security reasons. Dr.Web Scanner can be started both with administrator and with user rights. In the latter case the virus check is executed only in directories where the user has read access, and infected files are cured only in directories where the user has write access (usually the user's home directory, $HOME). There are also other restrictions when Scanner is started with user rights, for example on moving and renaming infected files. After Scanner is started, it outputs the following information: program name, platform name, version number, release date and contact information. Then it shows user registration information and statistics about the loaded virus databases, including add-ons (if installed):
Dr.Web (R) Scanner for Linux, v5.0.0 (February 19, 2009)
Copyright (c) Igor Daniloff, 1992-2009
Support service: http://support.drweb.com/
To purchase: http://buy.drweb.com/
Program version: 5.0.0.10060 <API:2.2>
Engine version: 5.0.0.9170 <API:2.2>
Loading /var/drweb/bases/drwtoday.vdb - Ok, virus records: 1533
Loading /var/drweb/bases/drw50012.vdb - Ok, virus records: 3511
---
Loading /var/drweb/bases/drw50000.vdb - Ok, virus records: 1194
Loading /var/drweb/bases/dwn50001.vdb - Ok, virus records: 840
Loading /var/drweb/bases/drwebase.vdb - Ok, virus records: 78674
Loading /var/drweb/bases/drwrisky.vdb - Ok, virus records: 1271
Loading /var/drweb/bases/drwnasty.vdb - Ok, virus records: 4867
Total virus records: 538681
Key file: /opt/drweb/drweb32.key
Key file number: XXXXXXXXXX
Key file activation date: XXXX-XX-XX
Key file expiration date: XXXX-XX-XX
After this report the shell prompt is returned. All other Scanner actions (detection, cure, etc.) require additional command line parameters.